Android stalkerware, a.k.a. spouseware, is a popular threat sold legally through various websites. Based on our telemetry, the number of stalkerware detections in 2020 rose by 48% compared to 2019. Because of its popularity, and because customers are willing both to pay for and to trust stalkerware vendors, we decided to inspect the most popular families and analyse their security.
We will cover over 80 different families of Android stalkerware and focus on security analyses of their code. Since stalkerware is designed to spy on users, it gathers, transmits and stores user PII, so basic security principles should be followed. Most of these apps are not free, and often the buyer is in a close relationship with the victim, which means that a data leak can impact both parties significantly.
We discovered serious vulnerabilities both in the Android apps and on their servers that, once exploited, could result in serious user impact: account takeover; leaks of PII (photos, videos, phone call recordings, phone numbers, SMS, call logs, Facebook and WhatsApp messages, etc.); removal of accounts without authorization; leaking of credentials over the network and on the device; unrestricted access to the admin console; identification of the buyer of the stalkerware; or possibly even the planting of fabricated evidence to frame the spied-upon person.
We also identified reuse of the same source code (including the same security issues) across different stalkerware products sold under different names on different websites. This suggests that a single group of developers is behind several of these "different" stalkerware products.
In 64% of the analysed apps we identified the possibility of extracting internal data of the stalkerware application during forensic analysis, which could help to identify the stalker, the period of infiltration and what data were gathered from the victim's device.
Apparently, these developers don't care about their clients or their data: we reported the security issues we found to the respective service providers, and only around 12% have fixed them, even though some of our reports were made over a year ago. This talk will help create an accurate picture of these shady apps, their false claims, their security issues, and the developers' lack of both ethics and responsibility towards their clients and their data.
Got a question about this presentation? To get in touch with the speaker, contact Lukas on Twitter at @LukasStefanko.